From b0ab78343b79a463aef02aa6b690eb65ea4cda74 Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Fri, 6 Feb 2026 19:01:55 +0000 Subject: [PATCH] Add content from: clsdumper — Android Dynamic Class Dumper (dump all DEX files... MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../frida-tutorial/README.md | 46 ++++++++++++++++++- 1 file changed, 45 insertions(+), 1 deletion(-) diff --git a/src/mobile-pentesting/android-app-pentesting/frida-tutorial/README.md b/src/mobile-pentesting/android-app-pentesting/frida-tutorial/README.md index 306f47692fa..30821152a10 100644 --- a/src/mobile-pentesting/android-app-pentesting/frida-tutorial/README.md +++ b/src/mobile-pentesting/android-app-pentesting/frida-tutorial/README.md @@ -114,7 +114,7 @@ If the APK is debuggable (android:debuggable="true"), you can attach over JDWP a - Repo: https://github.com/frankheat/frida-jdwp-loader - Requirements: ADB, Python 3, USB/Wireless debugging. App must be debuggable (emulator with `ro.debuggable=1`, rooted device with `resetprop`, or rebuild manifest). -Quick start +Quick start: ```bash git clone https://github.com/frankheat/frida-jdwp-loader.git cd frida-jdwp-loader
@@ -285,6 +285,49 @@ Java.perform(function () { Run the script with `frida -U -f -l disable-flag-secure.js --no-pause`, interact with the UI, and screenshots/recordings will work again. Because everything happens on the UI thread there is no flicker, and you can still combine the hook with HTTP Toolkit/Burp to capture the traffic that revealed the `/channel` PIN leak. +## Dynamic DEX dumping / unpacking with clsdumper (Frida) + +`clsdumper` is a Frida-based dynamic **DEX/class dumper** that survives hardened apps by combining an anti-Frida pre-stage with native and Java discovery strategies (works even if `Java.perform()` dies). Requirements: Python 3.10+, rooted device with `frida-server` running, USB or `--host` TCP connection. + +**Install & quick use** +```bash +pip install clsdumper +# Attach to a running app +clsdumper com.example.app +# Spawn first (hooks before early loaders) +clsdumper com.example.app --spawn +# Select strategies +clsdumper com.example.app --strategies fart_dump,oat_extract +``` + +**CLI options (most useful)** +- `target`: package name or PID. +- `--spawn`: spawn instead of attach. +- `--host `: connect to remote frida-server. +- `--strategies `: limit/choose extractors; default is all except `mmap_hook` (expensive). +- `--no-scan` / `--deep-scan`: disable or slow deep memory scan (adds CDEX scanning). +- `--extract-classes`: post-process dumps into `.smali` via androguard. +- `--no-anti-frida`: skip the pre-hook bypass stage. +- `--list` / `--list-apps`: enumerate running processes or installed packages. + +**Anti-instrumentation bypass (phase 0)** +- Hooks `sigaction`/`signal` to block registration of crash/anti-debug handlers. +- Serves a filtered `/proc/self/maps` via `memfd_create` to hide Frida regions. +- Monitors `pthread_create` to catch/neutralize watchdog threads hunting Frida. 
+ +**DEX discovery (phases 1–2)** — multiple complementary strategies with per-hit metadata + deduplication (agent-side djb2, host-side SHA-256): +- Native (no Java bridge needed): `art_walk` (walk ART Runtime→ClassLinker→DexFile), `open_common_hook` (hook `DexFile::OpenCommon`), `memory_scan` (DEX magic in readable maps), `oat_extract` (parse mapped .vdex/.oat), `fart_dump` (hook `DefineClass` + walk `class_table_`), `dexfile_constructor` (hook `OatDexFile` constructors), `mmap_hook` (watch `mmap/mmap64`, off by default for perf). +- Java (when available): `cookie` (read `mCookie` from ClassLoaders), `classloader_hook` (monitor `loadClass`, `DexClassLoader`, `InMemoryDexClassLoader`). + +**Output layout** +``` +dump_/ + dex/classes_001.dex ... + classes/ # only when --extract-classes + metadata.json # strategy per hit + hashes +``` + +Tip: protected apps often load code from several sources (in-memory payload, vdex/oat, custom loaders). Running with the default multi-strategy set plus `--spawn` maximizes coverage; enable `--deep-scan` only when needed to avoid performance hits. ## Tutorials @@ -479,5 +522,6 @@ Java.choose("com.example.a11x256.frida_test.my_activity", { - ["Super secure" MAGA-themed messaging app leaks everyone’s phone number](https://ericdaigle.ca/posts/super-secure-maga-messaging-app-leaks-everyones-phone-number/) - [Android Frida Hooking: Disabling FLAG_SECURE](https://www.securify.nl/en/blog/android-frida-hooking-disabling-flagsecure/) - [frida-ui](https://github.com/adityatelange/frida-ui) +- [clsdumper — Android Dynamic Class Dumper](https://github.com/TheQmaks/clsdumper) {{#include ../../../banners/hacktricks-training.md}}
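Review bot: In the `@@ -285,6 +285,49 @@` hunk (the new clsdumper section) the argument placeholders are missing: the CLI options list has `--host ` and `--strategies ` with nothing after the flag, and the output layout shows `dump_/`, so the reader is told neither what value to pass nor how the dump directory is named; restore the placeholder tokens and, if they are written with angle brackets, check that they survive the site's markdown rendering rather than being swallowed as HTML. Two smaller points in the same hunk: the bullet "`--no-scan` / `--deep-scan`: disable or slow deep memory scan (adds CDEX scanning)" is ambiguous about which flag does what, so split it into one line per flag, e.g. "`--no-scan`: skip the memory scan" and "`--deep-scan`: slower scan that additionally looks for CDEX"; and the Requirements sentence lists only Python 3.10+, a rooted device with `frida-server` and the USB/`--host` connection, while `--extract-classes` is documented as relying on androguard, so either add that dependency to the requirements or say whether `pip install clsdumper` already pulls it in.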